SOC 1® – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)
Prepared under SSAE 18 section AT-C 320, these reports are specifically intended to meet the needs of entities that use service organizations and the CPAs that audit the user entities’ financial statements. The use of these reports is restricted to the service organization’s management, user entities, and auditors.
There are two types of reports for SOC 1 engagements, Type 1 and Type 2. Both types report on the fairness of the presentation of management’s description of the service organization’s system and on the suitability of the design of the controls to achieve the related control objectives included in that description. The difference is the period covered: a Type 1 report is as of a specified date (a single point in time), whereas a Type 2 report covers a specified period (usually 6 to 12 months).
Many organizations will start with a SOC 1 Type 1 report before obtaining their SOC 1 Type 2 report. Armed with the results of the Type 1, these organizations are better equipped to create a remediation plan that would ensure a favorable Type 2 report.
When does it make sense for you to ask your technology provider for a copy of their SOC 1 report?
If your technology provider is hosting financial information that could affect financial reporting, I strongly recommend requesting a copy of that provider’s SOC 1 report.
SOC 2® – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (Trust Services Criteria)
Prepared under SSAE 18 sections AT-C 105 and 205, these reports provide information about the controls relevant to the security of the systems used to process users’ data and, optionally, about the controls relevant to the availability, confidentiality, privacy and processing integrity of those systems.
Management of an entity may also use the TSC to evaluate the suitability of the design and the operating effectiveness of such controls. As a result, these reports can play an important role in organizational oversight, provider management programs, internal corporate governance and risk management processes, and regulatory oversight. Generally, only parties with an understanding of the service organization and its controls may use these reports.
SOC 2 report types mirror those of SOC 1: there are two types, Type 1 and Type 2. A Type 1 report is as of a specified date (a single point in time), whereas a Type 2 report covers a specified period (usually 6 to 12 months). SOC 2 reports focus on the suitability of management’s description of the service organization’s system and on the design of its controls, evaluated against the TSC.
As with SOC 1 reports, many organizations will start with a SOC 2 Type 1 report and use the results of that report to create a remediation plan that would ensure a favorable Type 2 report.
When does it make sense for you to ask your technology provider for a copy of their SOC 2 report?
If that provider hosts non-financial information and you want assurance that they handle your data securely and that your data will be available to you in the manner contractually agreed, I strongly recommend requesting a copy of that provider’s SOC 2 report.